#!/bin/bash
# Smart Card Authentication Helper (c) 2009 Timothy Pearson
#
# Authenticates to an ACOS5 or Schlumberger CryptoFlex smart card with a DES
# challenge/response (GET CHALLENGE / EXTERNAL AUTHENTICATE) and, on success,
# copies the key file stored on the card to ./smart.key.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

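#######################################
# Reduce a scriptor_standalone READ BINARY transcript (stdin) to the hex
# data bytes it carries: join the lines, drop the fixed command-echo prefix
# and the trailing status word.
# Arguments: $1 - "text" to also drop " 00" byte tokens (NUL padding of a
#                 text file); anything else keeps every byte
# Outputs:   space-separated hex bytes on stdout, no trailing newline
# NOTE(review): the stripped literals assume a T=0 card and the exact
# transcript layout of scriptor_standalone; with any other layout the prefix
# survives and xxd would silently decode it as (garbage) key bytes.  Verify
# against the tool's real output before using another reader or card.
#######################################
_acos_response_to_hex () {
  local mode=${1:-} hex
  hex=$(tr -d '\n')
  hex=${hex//"Using T=0 protocol00 B0 00 00 FF> 00 B0 00 00 FF< "/}
  hex=${hex//" 90 00 : Normal processing."/}
  if [[ $mode == "text" ]]; then
    hex=${hex//" 00"/}
  fi
  printf '%s' "$hex"
}

#######################################
# Fetch the key file stored on the card into a local file.
# Globals:   COMMAND_MODE, SELECT_FILE, READ_BINARY (read)
#            WORKDIR (read, optional: directory for scratch files; defaults
#            to the current directory when unset)
#            RESPONSE (written: path of the fetched file, "" on failure)
# Arguments: $1 - file id in the form the card expects ("10 01" for acos,
#                 "1001" for cryptoflex)
#            $2 - optional "text", see _acos_response_to_hex
# Outputs:   acos: the SELECT transcript on stdout; cryptoflex: whatever
#            opensc-explorer prints.  The fetched key bytes are never echoed
#            (the old version printed them in hex to stdout).
# Returns:   0 when RESPONSE names an existing file, 1 otherwise
#######################################
get_file () {
  local file_id=$1 mode=${2:-}
  local workdir=${WORKDIR:-.}
  local ok_status="90 00 : Normal processing"
  RESPONSE=""

  case $COMMAND_MODE in
    acos)
      # Select EF $file_id under DF 1000 (the caller selected MF and DF 1000).
      printf '%s %s\n' "$SELECT_FILE" "$file_id" > "$workdir/query"
      scriptor_standalone "$workdir/query" > "$workdir/response2"
      cat "$workdir/response2"

      # Read binary; give up unless the card answered 90 00.
      printf '%s\n' "$READ_BINARY" > "$workdir/query"
      scriptor_standalone "$workdir/query" > "$workdir/response2"
      if ! grep -q -- "$ok_status" "$workdir/response2"; then
        echo "Reading file $file_id from the card failed" >&2
        return 1
      fi
      local hex
      hex=$(_acos_response_to_hex "$mode" < "$workdir/response2")
      # Decode into an owner-only file; the hex is key material and is
      # deliberately not printed.  The redirect truncates, which a bare
      # "xxd -r -p in out" does not (it overwrites in place).
      ( umask 077; printf '%s' "$hex" | xxd -r -p > "$workdir/lukskey" ) || return 1
      RESPONSE="$workdir/lukskey"
      ;;
    cryptoflex)
      # opensc-explorer stores the fetched file as ./3F00_<id> in the cwd.
      echo "get $file_id" | opensc-explorer
      RESPONSE="3F00_$file_id"
      ;;
    *)
      echo "get_file: unsupported COMMAND_MODE '${COMMAND_MODE:-}'" >&2
      return 1
      ;;
  esac

  # Never hand back a path that does not exist (e.g. opensc-explorer failed).
  if [[ ! -f $RESPONSE ]]; then
    RESPONSE=""
    return 1
  fi
  return 0
}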
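###############################################################################
# Main flow
#
#  1. (Re)start pcscd and reset the card to read its ATR.
#  2. Select the APDU set for the detected card (ACOS5 or Schlumberger
#     CryptoFlex); any other card is rejected instead of being driven with
#     empty commands.
#  3. GET CHALLENGE, DES-ECB encrypt the 8-byte challenge with the shared
#     host key, and send the cryptogram back with EXTERNAL AUTHENTICATE.
#  4. If the card accepts it, copy the key file it holds to ./smart.key.
#
# Environment:
#   SMARTCARD_AUTH_KEY_FILE  file holding the shared DES key as 16 hex digits
#                            on its first line.  Required.  The key used to be
#                            a placeholder pasted into the openssl command in
#                            this script; keep the file root-only (0600).
#
# All scratch files (APDU scripts, transcripts, the decoded key) live in a
# private mktemp directory that is removed on every exit path, and umask 077
# makes every file created here -- smart.key included -- owner-only.  The
# original wrote predictably named, umask-dependent files into the current
# directory and left some of them behind.
#
# Exit status: 0 when smart.key was written, 1 on any failure (the original
# exited 0 even when authentication failed).
###############################################################################

# Print a message to stderr and exit 1.
die () {
  printf '%s\n' "$*" >&2
  exit 1
}

# Remove the scratch directory; runs on every exit path via the EXIT trap.
cleanup () {
  rm -rf -- "${WORKDIR:?}"
}

umask 077
WORKDIR=$(mktemp -d) || die "Cannot create scratch directory"
trap cleanup EXIT

# Load the shared host key before touching any hardware so a misconfiguration
# fails fast.  openssl enc only accepts a raw key via -K, so the key is visible
# in the process list for the duration of the openssl call below; run this
# helper as root only and do not enable set -x around it.
[[ -n ${SMARTCARD_AUTH_KEY_FILE:-} ]] || die "SMARTCARD_AUTH_KEY_FILE is not set"
[[ -r $SMARTCARD_AUTH_KEY_FILE ]] || die "Cannot read key file $SMARTCARD_AUTH_KEY_FILE"
IFS= read -r AUTH_KEY < "$SMARTCARD_AUTH_KEY_FILE"
[[ $AUTH_KEY =~ ^[0-9A-Fa-f]{16}$ ]] \
  || die "Key file must hold exactly 16 hex digits (one 8-byte DES key)"

# Initialize pcscd.  Restarting the system daemon is what the original did;
# it needs root, and the fixed sleeps are a race against pcscd's start-up.
# "no process found" from killall is not an error here.
killall pcscd 2>/dev/null
sleep 1
pcscd &
sleep 1

# Get card ATR.
printf 'RESET\n' > "$WORKDIR/query"
scriptor_standalone "$WORKDIR/query" > "$WORKDIR/response"
grep -q "OK: " "$WORKDIR/response" || die "No card detected!"
# Flatten the transcript and strip scriptor's fixed framing around the ATR.
# NOTE(review): the literal assumes a T=0 card and scriptor_standalone's exact
# transcript layout; any other layout simply fails the ATR match below.
smartatr=$(tr -d '\n' < "$WORKDIR/response")
smartatr=${smartatr//"Using T=0 protocolRESET> RESET< OK: "/}
echo "Got ATR: $smartatr"

# The ATR literals carry a trailing space because that is what the stripped
# transcript ends with.
case $smartatr in
  "3B BE 18 00 00 41 05 10 00 00 00 00 00 00 00 00 00 90 00 ")
    echo "Detected ACOS5 card"
    COMMAND_MODE="acos"
    ;;
  "3B 02 14 50 ")
    echo "Detected Schlumberger CryptoFlex card"
    COMMAND_MODE="cryptoflex"
    ;;
  *)
    die "Unsupported card (ATR: $smartatr)"
    ;;
esac

# APDU command headers (CLA INS P1 P2 Lc/Le) per card family.  CRYPTOGRAM_BYTES
# is how much of the DES block the EXTERNAL AUTHENTICATE command carries: the
# CryptoFlex Lc of 07 is one key-number byte plus 6 cryptogram bytes, the
# ACOS5 Lc of 08 is the full block.  DELETE_FILE, UPDATE_BINARY and
# ACTIVATE_FILE are not used by this script; they are kept for reference.
if [[ $COMMAND_MODE == "cryptoflex" ]]; then
  GET_CHALLENGE="C0 84 00 00 08"
  EXTERNAL_AUTH="C0 82 00 00 07 01"
  SELECT_FILE="C0 A4 00 00 02"
  DELETE_FILE="F0 E4 00 00 02"
  CRYPTOGRAM_BYTES=6
else
  GET_CHALLENGE="00 84 00 00 08"
  EXTERNAL_AUTH="00 82 00 83 08" # Key 3
  SELECT_FILE="00 A4 00 00 02"
  DELETE_FILE="00 E4 00 00 00"
  READ_BINARY="00 B0 00 00 FF"
  UPDATE_BINARY="00 D6 00 00 FF"
  ACTIVATE_FILE="00 44 00 00 02"
  CRYPTOGRAM_BYTES=8
fi

# Authenticate card.
if [[ $COMMAND_MODE == "acos" ]]; then
  # Select MF, then DF 1000 under it: EXTERNAL AUTHENTICATE and the later
  # READ BINARY of EF 1001 are issued with DF 1000 selected.
  printf '%s\n' "00 A4 00 00 00" > "$WORKDIR/query"
  scriptor_standalone "$WORKDIR/query" > "$WORKDIR/response"
  cat "$WORKDIR/response"

  printf '%s %s\n' "$SELECT_FILE" "10 00" > "$WORKDIR/query"
  scriptor_standalone "$WORKDIR/query" > "$WORKDIR/response"
  cat "$WORKDIR/response"
fi

# GET CHALLENGE (Le = 08): the "< ..." transcript line holds the 8 challenge
# bytes followed by the 90 00 status word.  Only the challenge is encrypted;
# the original fed the status word into DES as well and relied on ECB to keep
# the first block independent of it.
printf '%s\n' "$GET_CHALLENGE" > "$WORKDIR/authscript"
challenge_hex=$(scriptor_standalone "$WORKDIR/authscript" \
  | grep 'Normal processing' | tr -d ' <')
challenge_hex=${challenge_hex%%:Normalprocessing*}
challenge_hex=${challenge_hex:0:16}
[[ $challenge_hex =~ ^[0-9A-Fa-f]{16}$ ]] \
  || die "Could not obtain a challenge from the card"
printf '%s' "$challenge_hex" | xxd -r -p > "$WORKDIR/challenge"

# DES-ECB encrypt the challenge with the host key.  ECB has no IV (the old
# "-iv 1" was ignored) and -nopad keeps the output to the single 8-byte block
# the card expects, which the original obtained by truncating padded output.
# NOTE(review): only single DES with a static shared key is implemented here,
# which is weak by modern standards; check whether the card's key slot
# supports a stronger key type before relying on this for anything new.
openssl des-ecb -K "$AUTH_KEY" -nopad \
  -in "$WORKDIR/challenge" -out "$WORKDIR/cryptogram" \
  || die "DES encryption of the challenge failed"

# First CRYPTOGRAM_BYTES bytes as space-separated hex, the form scriptor takes.
cryptogram_hex=$(xxd -p -l "$CRYPTOGRAM_BYTES" "$WORKDIR/cryptogram" \
  | sed 's/../& /g; s/ $//')

# Assemble and send the EXTERNAL AUTHENTICATE command.
printf '%s %s\n' "$EXTERNAL_AUTH" "$cryptogram_hex" > "$WORKDIR/response"
scriptor_standalone "$WORKDIR/response" > "$WORKDIR/auth_result"

# Get the result: the card answers 90 00 only if the cryptogram matched.
auth_line=$(grep "< 90 00 : Normal processing" "$WORKDIR/auth_result")
echo "$auth_line"
[[ -n $auth_line ]] || die "Authentication failed!"
echo "Smart card validation successful!"

# Get encryption key: EF 10 01 (acos) / file 1001 (cryptoflex).  get_file
# leaves the local path of the fetched file in RESPONSE.
RESPONSE=""
if [[ $COMMAND_MODE == "acos" ]]; then
  get_file "10 01"
else
  get_file "1001"
fi
[[ -n $RESPONSE && -f $RESPONSE ]] || die "Could not read the key file from the card"
mv -- "$RESPONSE" smart.key || die "Could not write smart.key"
exit 0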